Skip to main content

DNS CAA resource record check

Certificate authorities are required to check the CAA resource records prior to issuing certificates

Before a Certificate Authority (CA) can issue an TLS/SSL certificate for your domain, they must check, process, and abide by the domain's DNS Certification Authority Authorization (CAA) resource records (RRs). See Ballot 125 – CAA Records [PASSED]RFC 6844, and Ballot 219: Clarify handling of CAA Record Sets with no "issue"/"issuewild" property tag.

Importante

A CAA resource record is NOT REQUIRED for DigiCert to issue TLS/SSL certificates for your domains. The information provided here is only important if you are in one of these situations:

  • Have CAA resource records set up for your domains

  • Plan to add CAA resource records for your domains

For information about the benefits of CAA, see our blog, The Security Benefits of CAA.

How the CAA RR process works

Before issuing a TLS/SSL certificate for a domain, a CA (such as DigiCert) checks the domain’s CAA RRs to verify that they are authorized to issue that certificate. A CA can issue a certificate for a domain if one of the following conditions is met:

  • They do not find a CAA RR for your domain.

  • They find a CAA RR for your domain authorizing them to issue that certificate.

  • They only find CAA RRs for your domain without the "issue" or "issuewild" property tags.

CA authorization for DigiCert, Thawte, GeoTrust, and RapidSSL brand certificates

With the acquisition of Symantec's Website Security and related PKI solutions, DigiCert brought together the industry’s leading certificate brands under one Certificate Authority – DigiCert. When creating a CAA RR for yourdoman.com that authorizes DigiCert to issue TLS/SSL certificates for it (yourdomain CAA 0 issue "digicert.com"), you authorize DigiCert to issue DigiCert, Thawte, GeoTrust, and RapidSSL brand TLS/SSL certificates for that domain.

What is a DNS CAA resource record?

Certification Authority Authorization (CAA) resource records (RRs) allow domain owners to create policies that authorize specific Certificate Authorities (CAs) to issue TLS/SSL certificates for their associated domains. Domain owners can use CAA RRs to create security policies for an entire domain (e.g., example.com) or a specific hostname (e.g., mail.example.com).

When you create a CAA RR for your base domain, you create an umbrella policy for its subdomains in that policy unless you create a separate CAA RR for a specific subdomain. Do you have a CAA RR for example.com but want to create a different security policy for mail.example.com? Create an additional CAA RR specifically for the mail subdomain.

With this record created, when you order a TLS/SSL certificate for mail.example.com, the CA queries your DNS for CAA RRs for that subdomain. If the CA finds a record for mail.example.com, then the search stops, and they apply that policy to the certificate order. If the CA doesn't find a record for mail.example.com, they continue their DNS query for CAA RRs at its parent domain, example.com. If the CA finds a record for example.com, they apply the parent domain's policy to the certificate order for mail.example.com.

CAA RR property tags

You can associate multiple properties with the same domain by publishing multiple CAA RRs for that domain name. However, each CAA RR can only authorize one CA to issue certificates (or, in some instances, one type of certificate) for your domain.

To allow multiple CAs to issue certificates for your domain, you need to create at least one CAA RR for each CA (in some instances, two CAA RRs). For help setting up your CAA RRs, visit CAA Record Helper.

Authorize DigiCert to issue wildcard certificates for a domain

When you order a certificate for *.yourdomain, DigiCert includes yourdomain in the certificate at no extra cost. This poses a problem when creating “issue” and “issuewild” CAA RRs for your domains using multiple CAs.

For example, DigiCert includes yourdomain with your certificate order for *.yourdomain. Therefore, if you authorize multiple CAs to issue certificates for yourdomain, use one of the options below so that DigiCert can issue your certificates.

  1. Only use the “issue” property tag and create an “issue” CAA RR for DigiCert

    Unless you have a specific reason for creating an "issuewild" CAA RR for yourdomain, don’t. Managing only "issue" CAA RRs is much simpler:

    ejemplo 3. "issue"
    yourdomain CAA 0 issue "digicert.com"

  2. Create an “issue” CAA RR and an “issuewild” for DigiCert

    If organization policy permits it and you must create separate CAA RRs for yourdomain and *.yourdomain.com, create two rules:

    • One authorizing DigiCert to issue certificates for yourdomain

    • One authorizing DigiCert to issue certificates for *.yourdomain

    ejemplo 4. "issue" and "issuewild"
    yourdomain CAA 0 issue "digicert.com"
    yourdomain CAA 0 issuewild "digicert.com"

  3. Contact Us

    If organization policy prevents you from authorizing DigiCert to issue certificates for yourdomain, contact us. We will work to find a solution to the problem so we can issue your certificate for *.yourdomain.

How CAA RR and CNAME work together

When requesting a TLS/SSL certificate for a domain (e.g., my.blog.example.com) that contains a CNAME record pointing to another domain (e.g., my.blog.example.net), the Certificate Authority (CA) follows a specific process (laid out in the Baseline Requirements [BRs]) to locate a CAA RR authorizing them to issue your certificate.

Importante

CNAME targets

As a preventative measure against resource exhaustion attacks, a CA is only required to follow up to 8 CNAME targets (8 or fewer CNAME records: blog.example.com is a CNAME for blog.example.net, which is a CNAME for blog.example.org, and so on, eight levels deep).

The process starts at the domain name on the certificate request and continues to the top-level domain. The process will stop at any point along the way if CAA RRs are found. The CAA RRs determine whether the CA is authorized to issue your certificate.

  1. Step 1: CA checks the CAA RRs for the domain name on the certificate request–my.blog.example.com

    The search stops if the CA finds a CAA record for the domain on the certificate request. The CA checks to see if a CAA record authorizes them to issue your certificate. If they find the record, the CA issues the certificate. If they don't find the record, the CA cannot issue the certificate.

    If the CA doesn't find a CAA record for the domain on the certificate request, the CAA record search continues.

  2. Step 2: CA checks the CAA RRs for the CNAME target domain–my.blog.example.net

    The search stops if the CA finds a CAA record for the CNAME target domain. The CA checks to see if a CAA record authorizes them to issue your certificate. If they find the record, the CA issues the certificate. If they don't find the record, the CA cannot issue the certificate.

    If the CA doesn't find a CAA record for the domain on the certificate request, the CAA record search continues.

  3. Step 3: CA checks the CAA RRs for the original domain's parent domain–blog.example.com

    The search stops if the CA finds a CAA record for the original domain's parent domain. The CA checks to see if a CAA record authorizes them to issue your certificate. If they find the record, the CA issues the certificate. If they don't find the record, the CA cannot issue the certificate.

    If the CA doesn't find a CAA record for the original domain's parent domain, the CAA record search continues.

  4. Step 4: CA checks the CAA RRs for the original domain's base domain–example.com.

    The search stops if the CA finds a CAA record for the original domain's base domain. The CA checks to see if a CAA record authorizes them to issue your certificate. If they find the record, the CA issues the certificate. If they don't find the record, the CA cannot issue the certificate.

    If the CA doesn't find a CAA record for the original domain's base domain, the CAA record search continues.

  5. Step 5: CA checks the CAA RRs for the original domain's top-level domain–com.

    The search stops.

    • If the CA finds a CAA record for the original domain's top-level domain. The CA checks to see if a CAA record authorizes them to issue your certificate. If they find the record, the CA issues the certificate. If they don't find the record, the CA cannot issue the certificate.

    • If the CA doesn't find a CAA record for the original domain's top-level domain, the CA issues the certificate.